Mailinglist Archive: opensuse-security (465 mails)

Re: [suse-security] user ***** - am I hacked?
  • From: Marc Wiesenhütter <Marc.Wiesenhuetter@xxxxxxxxxxxxxxxxxxxxx>
  • Date: Sun, 30 Dec 2001 13:37:22 +0100
  • Message-id: <3C2F0A82.9C4C2F57@xxxxxxxxxxxxxxxxxxxxx>
"Erwin Zierler - stubainet.at" wrote:

> Hi,
>
> first I would get for instance chkrootkit from
> http://www.chkrootkit.org - unzip/untar, type 'make sense'
> in ./chkrootkit-0.34 and then run ./chkrootkit
>
> This will probably detect the most basic infections/trojans
> etc. Read the README file - it explains what it will do for you.
>
> With lsof|grep IPv4 you will be able to see a lot of info on
> listening programs and open connections - this might show
> you if your system is running any servers that you actually
> don't know of. I say 'might' because the smarter hacker will
> hide his presence by replacing important commands like ls, ps,
> netstat and maybe also lsof - in which case you cannot trust
> the results anymore. I have found attacks by also checking
> for suspicious files in dirs like /tmp and so on. Some silly
> script kiddies leave enough info to make it possible to
> identify most of their activity - at least that's what I have
> experienced.
>
> Hope this will give you a start.
>
> Erwin
>
> ---

Hi,
thanks for your advice, I checked the 3 things, but there is nothing
strange at all. Everything looks normal but this user.
Where can I get any info in my logs where ***** comes from?
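
Added example, not part of either message above: because a replaced lsof or netstat binary can omit a listener, this sketch compares the listening ports in lsof output with the kernel's own table in /proc/net/tcp. The sample data is constructed, the function names are hypothetical, and it assumes a little-endian host and lsof run with -n -P for numeric output.

```python
import re
import socket
import struct

TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp

# Constructed sample data (not from a real host).
SAMPLE_PROC = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1305 1
   2: 00000000:2B67 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4410 1
   3: 0F00000A:0016 6300000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 4502 1
"""
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd    412 root 3u IPv4   1201      0t0  TCP *:22 (LISTEN)
master  630 root 11u IPv4  1305      0t0  TCP 127.0.0.1:25 (LISTEN)
sshd    901 root 4u IPv4   4502      0t0  TCP 10.0.0.15:22->10.0.0.99:50000 (ESTABLISHED)
"""

def kernel_listeners(proc_text):
    """Return {(ip, port)} for sockets in LISTEN state, read from /proc/net/tcp text."""
    found = set()
    for line in proc_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        hex_ip, hex_port = fields[1].split(":")
        # Assumption: little-endian host (x86), so the address bytes are swapped.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        found.add((ip, int(hex_port, 16)))
    return found

def tool_listen_ports(lsof_text):
    """Return ports that lsof (numeric output) shows in LISTEN state."""
    return {int(m.group(1)) for m in
            re.finditer(r":(\d+) \(LISTEN\)\s*$", lsof_text, re.MULTILINE)}

def unreported_ports(proc_text, lsof_text):
    """Ports the kernel lists as listening but the tool output omits."""
    kernel_ports = {port for _, port in kernel_listeners(proc_text)}
    return sorted(kernel_ports - tool_listen_ports(lsof_text))

if __name__ == "__main__":
    # On a live system, read /proc/net/tcp and captured `lsof -n -P -i` output instead.
    for port in unreported_ports(SAMPLE_PROC, SAMPLE_LSOF):
        print(f"port {port} is listening per /proc/net/tcp but missing from lsof")
```

This only catches replaced userland binaries; a kernel-level modification can falsify /proc as well, so a clean result is not proof of a clean host.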


